Introduction

In part 7 of this multi-part article series revolving around Exchange 2013 hybrid deployment based migrations to the new Office 365 or more precisely Exchange Online, we converted our custom managed domain to a federated domain, so that users will be able to authenticated against Office 365 using their UPN login.

In this part 8, we will continue where we left off in part 7. That is we will install and configure the Windows Azure Active Directory (WAAD Sync tool on our Windows Server 2012 domain-member server and start object synchronization from our on-premises Active Directory to the Office 365 tenant.

Activating Active Directory Synchronization

The first preparation step we want to complete before concentrating on installing and configuring the WAAD Sync tool on the respective domain member server in our on-premises environment is to activate directory synchronization for our Office 365 tenant. This can be done by logging on to the Office 365 portal followed by clicking on the “users and groups”. and from here click “Set up” to the right of “Active Directory synchronization” in the top of the page as shown in Figure 1 below.

Figure 1: Users and groups page in the Office 365 portal

Under “Set up and manage Active Directory synchronization”, click on the “activate” button in “step 3”.

Figure 2: Clicking on the activate button

You will now be asked whether you really wish to activate directory synchronization from your on-premises environment to Office 365. Since this is exactly what we want to do, click “activate” once again.

Figure 3: Do we really wish to activate directory synchronization?

Although we just activated directory synchronization, this will not occur instantly. As you can see in Figure 4, we need to wait up to 24 hours before it’s activated.

Figure 4: Activation in progress

Creating the WAAD Sync Service Account

While we wait for directory synchronization to complete, let’s create the service account that should be used for configuring directory synchronization. We should create this account in the Office 365 tenant. To do so, click “users and groups” and then hit the “plus” sign as shown in Figure 5.

Figure 5: Clicking “plus” sign

Enter the name and UPN logon for the account and click “next”.

Figure 6: Naming the account and giving it a UPN logon name

On the “settings” page, make sure to assign the account “Global Administrator” permissions. Also, specify the email address that should be used if there’s a need to someday reset the password for this account.

Click “next”.

Figure 7: Assigning the account Global Administrator permissions

Since the account should not be used to access any Office 365 services, leave all of them unticked and click “next”.

Figure 8: No need for any licenses

Now specify the email address to which the temporary password should be sent and click “create”.

Figure 9: Send results in email

On the “results” page, click “finish”.

Figure 10: Results page

Now log off the portal and log on again using the new accounts credentials.

Figure 11: Logging on to the portal with the new account

You will be asked to specify a new password for the account. Do so and click “save”.

Figure 12: Specifying a new password for the new account

Now you need to decide whether the new account, which can be considered a service account should follow the Office 365 password expiration policy meaning you need to change the password for the account every 90 days or if you rather want to set the password to never expire.

I’ll do the latter.

Since this can’t be done via the Office 365 portal, we need to connect to the Office 365 tenant using Windows PowerShell.

When connected to the Office 365 tenant, we can check the “PasswordNeverExpires” value with the following command:

Ok let's see whether active directory synchronization has been activated. As you can see in Figure 15, this is the case so we can move on to the next action, which is to install and configure the WAAD Sync tool.

Figure 15: Active directory synchronization is now activated

Installing and Configuring the WAAD Sync Tool

When directory synchronization has been activated, let’s switch back to the server on which we wish to install the WAAD Sync tool. You can download the latest version of the WAAD Sync tool from the Office 365 portal. More specifically under “users and groups” > “Set up” and here click the “download” button under “step 4”.

Figure 16: Downloading the WAAD Sync tool

From there launch the WAAD Sync tool setup wizard. On the “Welcome” page, click “Next”.

Figure 17: WAAD Sync tool setup wizard – Welcome page

Accept the license terms and click “Next”.

Figure 18: Accepting the license terms

On the “Select Installation Folder” page, click “Next”.

Figure 19: Select installation folder page

Let the installation finish. This can take a few minutes.

Figure 20: WAAD Sync tool is being installed

When installation has completed, click “Next”.

Figure 21: Installation complete

On the “Finished” page, make sure “Start Configuration wizard now” is ticked then click “Finish”.

Figure 22: Finish page

The WAAD Sync tool Configuration wizard will now launch. On the “Welcome” page, click “Next”.

Figure 23: WAAD Sync tool Configuration wizard

On the “Windows Azure Active Directory Credentials” page, enter the credentials for the service account we created in the previous section and click “Next”.

Figure 24: Entering the credentials for the WAAD Sync service account

On the “Active Directory Credentials” page, enter the credentials of an account with domain administrator permissions in the on-premises Active Directory.

Note:This does not need to be a dedicated service account as these credentials aren’t saved.

Click “Next”.

Figure 25: Entering the credentials of a domain administrator

We’re now taken to the Exchange hybrid deployment page. If the DirSync Configuration setup wizard detects Exchange 2010 SP1 (or later) servers in the on-premises Active Directory we will be able to tick “Enable Exchange hybrid deployment”.

Note:If the setup wizard doesn’t detect any Exchange 2010 SP1 (or later) servers, the tick box will be greyed out. Since we, in this article series, are dealing with an Exchange hybrid deployment based configuration based on Exchange 2013 servers, we wish to tick this option.

When ticking the “Enable Exchange hybrid deployment” box, we allow the WAAD Sync tool to perform write-back from Office 365 to the on-premises Active Directory for specific attributes. This is in order to allow support for features such as archive on-premises mailboxes in the cloud, off-board mailboxes from the cloud to on-premises Exchange servers, have on-premises filtering software take advantage of user made safe and blocked senders in the cloud and UM online voice mail.

With Exchange hybrid deployment enabled, write-back will be performed for the following attributes:

Enable Mailbox: Off-boards an online mailbox back to on-premises Exchange.

msExchUCVoiceMailSettings

Enable Unified Messaging (UM) - Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 or later integration to indicate to Lync Server 2010 or later on-premises that the user has voice mail in online services.

Table 1: Write-back attributes when hybrid deployment is enabled

When you have ticked “Enable Exchange hybrid deployment”, click “Next”.

Figure 26: Ticking enable “Hybrid Deployment”

Now we reach the new “Password Synchronization” page, where we have the option to enable password synchronization from the on-premises Active Directory users to the user objects in the Office 365 tenant. With password synchronization we can achieve SSO as in “same sign-on” not SSO as in “single sign-on”, which is possible with ADFS based federation between the on-premises environment and the Office 365 tenant.

Since we use ADFS based federation in this article series, make sure “Enable Password Sync” is unticked and click “Next”.

Figure 27: Password synchronization page

Wait for the WAAD Sync tool configuration wizard to complete the configuration.

Figure 28: Completing configuration

When configuration has completed, click “Finish”.

Figure 29: Configuration complete

Now make sure “Synchronize directories now" is selected and then click “Finish”. This will initiate the first synchronization from the on-premise Active Directory to the metaverse and the export from the metaverse to the Office 365 tenant.

Figure 30: Finished page

You will receive the warning shown in Figure 31, which includes a link to a TechNet page that explains how you can verify synchronization works properly. Click “OK”.

Latest Podcast

Recommended

Follow Us

TECHGENIX

TechGenix reaches millions of IT Professionals every month, and has set the standard for providing free technical content through its growing family of websites, empowering them with the answers and tools that are needed to set up, configure, maintain and enhance their networks.